UBUNTU-CVE-2026-41650

fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "--" sequence in comment content or the "" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection...

CVE-2026-41650

CVE-2026-41650 affects fast-xml-parser XMLBuilder prior to v5.7.0, where unescaped "-->" in comments and "]]>" in CDATA can lead to XML injection when user-controlled data is built into XML from JavaScript objects. This can enable XSS, SOAP injection, or data manipulation as described in th...

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters Summary fast-xml-parser XMLBuilder does not escape the -- sequence in comment content or the sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data...

GHSA-GH4J-GQV2-49F6 fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters Summary fast-xml-parser XMLBuilder does not escape the -- sequence in comment content or the sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data...

PT-2026-34614

Name of the Vulnerable Software and Affected Versions fast-xml-parser versions prior to 5.7.0 Description XMLBuilder fails to escape the "--" sequence in comment content and the "" sequence in CDATA sections when generating XML from JavaScript objects. This flaw enables XML injection if...

Linux Distros Unpatched Vulnerability : CVE-2026-34601

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom...

CVE-2026-34601

CVE-2026-34601 affects the xmldom library (and @xmldom/xmldom) via a CDATA terminator handling flaw. Attacker-controlled strings containing the CDATA terminator ]]> could be inserted into a CDATASection and, during XMLSerializer output, emitted verbatim, turning text into active XML markup and...

PT-2026-22872

Name of the Vulnerable Software and Affected Versions International Datacasting Corporation IDC SFX Series SuperFlex Satellite Receiver Web management Interface version 101 Description The application does not properly neutralize special elements within the /IDC Logging/checkifdone.cgi script,...

CVE-2026-27458

LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...